Connect with us

Hi, what are you looking for?



Researcher Gets $5,000 for XSS Flaw in Google Apps Admin Console

A serious cross-site scripting (XSS) vulnerability plaguing the Google Apps administrator console was patched by the search giant a few months ago.

A serious cross-site scripting (XSS) vulnerability plaguing the Google Apps administrator console was patched by the search giant a few months ago.

The Google Apps console allows administrators to manage their organization’s account. Admins can use the console to add new users, manage security settings and enable Google services. The feature is utilized by many businesses that use Gmail as their email service.

When users access a service that hasn’t been configured for their domain, they are presented with a “ServiceNotAllowed” page. This page allows users to switch between accounts (they must be logged into at least two) in order to log in to the service.

The problem, according to security researcher Brett Buerhaus, was that when one of the accounts was selected, a piece of JavaScript code was executed in order to redirect the Web browser. JavaScript code could be supplied by the user in the “continue” parameter of the URL, which allowed XSS attacks.

“The continue request parameter is fairly common request variable in the Google login flow. This is the only page that I could find that did not validate the URL passed into it,” Buerhaus explained in a blog post published on Wednesday.

According to the expert, an attacker could have exploited this vulnerability to perform various actions. He could have forced an administrator to create new users, disable security settings for individual accounts (including two-factor authentication), and modify domain settings. An attacker could have also hijacked accounts by resetting their password, disabling two-factor authentication, and removing login challenges temporarily (for 10 minutes).

Buerhaus identified the flaw on the domain on September 1 and reported it to Google on the same day. The company confirmed the existence of the vulnerability a few days later and fixed it on September 18. Google rewarded the researcher with $5,000 for responsibly disclosing the bug.

Advertisement. Scroll to continue reading.

“Cross-Site Scripting (XSS) is generally perceived to be a weaker attack than higher severity vulnerabilities such as Remote Code Execution, SQL Injection, etc. Rightfully so, as those vulnerability types can generally cause more damage and are more likely to give attackers sensitive information or complete access to your systems. But that perception has made a lot of developers underestimate the potential harm that can be caused by XSS,” Buerhaus told SecurityWeek.

“With this specific vulnerability, there’s a little bit of social engineering involved to convince an admin, who is actively logged in, to visit a page with a malicious payload or to convince them to click on a link to your malicious payload. But despite that, the outcome is devastating as it completely bypasses the security that Google provides to its accounts and gives the attacker complete access to either your admin panel or any user’s email, calendar, or any other Google service associated with it,” the researcher noted.

In an attack scenario described by the expert, the hacker knows that the targeted company’s employees are registered behind Google Apps and they use Gmail for company communications. The attacker can determine this through a domain scan or a DNS lookup.

Buerhaus explained, “If your end-goal were to target the CEO of their company and you know the email name convention that they use — most companies use a naming convention that makes this very easy (e.g. first letter of first name, last name, @ — you could construct the attack this way:”

“When the admin loads a link containing the JavaScript payload that you constructed, it would reset the password on the CEO’s account to whatever you supply and also disable 2FA and login challenges. This would allow you to log into the account and bypass any security measure that usually exists for all regular Google accounts,” he added. “At this point you can read all of their emails, their calendar, etc.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.